As allegations of vote rigging and manipulation continue to plague the 2016 election, one developer is heading straight to the source to investigate—the source code, that is.Regardless of what state you live in, one common denominator is direct recording electronic (DRE) machines. While some states use paper ballots and only five states (Delaware, Georgia, Louisiana, South Carolina, and New Jersey) use DRE machines exclusively, many use a combination of both, which means the machines are used in some capacity all around the country. While it’s understandable to expect slight variations from state to state, you would imagine that there would be some controls in place to make sure the code of voting machines would be secure. But the reality makes dimpled chads look like a walk in the park.Following the last election, Emily Gorcenski, a developer and writer in Virginia, was curious about those standards. What security measures are in place to ensure the software code regulating our elections doesn’t accidentally switch or erase a vote?
After a viral tweetstorm about how one machine’s source code guidelines focused on the code’s style rather than how it functioned, Gorcenski took to software community Github to report in further detail.
Voting machines have a lot of components that need to be tested. Electrical systems, physical cases, security locks, scanners, speakers, and all that stuff has to meet certain engineering quality standards. Certification bodies exist to test these machines. However, software is a more mysterious being. Software verification is very hard; in fact, it’s one of the hardest problems out there.
Software can introduce lots of failures: it can change a vote, it can count a vote twice or not at all, it can lose votes. So one would expect that voting machine software is thoroughly checked and ensured that the answer it outputs is always the correct answer. My findings indicate that this is not the case.
Furthermore, Gorcenski says, “The software standards for voting machines mostly govern code style … [which] is form, not function.” And “most of the style review was performed by automated tools, not humans. This means that backdoors or other attempts at deliberate malfeasance can be easy to sneak into the software.”